Vulnerability in BIND DNS Software Could Allow Hackers to Kill Large Portions of the Internet

BIND, the most widely used software for translating human-friendly domain names into IP addresses used by servers, is plagued by a serious vulnerability that could let a single hacker bring down a huge portion of the Internet, one security researcher has warned.

The vulnerability lies within the way BIND handles certain queries related to transaction key records, affecting all major versions of the software, including 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, alongside 9.10.0 to 9.10.2-P2. Attackers can exploit the vulnerability by sending malformed packets to servers, which in turn, causes vulnerable servers to crash almost instantly.

The company has confirmed that there are no indications that the flaw is being actively exploited in the wild, however, the bug wasn’t disclosed until BIND had a proper fix in place. BIND has been a staple for the Internet’s Domain Name System (DNS) for over three decades now.

Rob Graham, CEO of penetration testing firm Errata Security, reviewed the source code of BIND and the latest advisory that BIND developers issued earlier in the week, making the assessment:

“BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.

“Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.”

Generally denial-of-service bugs are marked with a low-severity rating, but a bug that plagues the Internet’s very core makes the risk far higher. Graham often scans large portions of the Internet to get a rough estimate of just how many servers remain vulnerable to the Heartbleed bug among other major software flaws.

While BIND’s code base isn’t quite as large as that of OpenSSL, it’s much slower than is should be, despite it being written using C and C++, Graham said.

“The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity,” Graham concluded. “Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those feature get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.”